mirror of
https://git.yoctoproject.org/poky
synced 2026-05-08 17:19:20 +00:00
cracklib: update 2.9.5 -> 2.9.7
(From OE-Core rev: d5486e497db0582d9b30ecdf8b34e4b2d33b6d37) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Alexander Kanavin
committed by
Richard Purdie
Richard Purdie
parent
5e71dde477
commit
8111876d1c
@@ -1,105 +0,0 @@
|
||||
From 47e5dec521ab6243c9b249dd65b93d232d90d6b1 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Dittberner <jan@dittberner.info>
|
||||
Date: Thu, 25 Aug 2016 17:13:49 +0200
|
||||
Subject: [PATCH] Apply patch to fix CVE-2016-6318
|
||||
|
||||
This patch fixes an issue with a stack-based buffer overflow when
|
||||
parsing large GECOS field. See
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 and
|
||||
https://security-tracker.debian.org/tracker/CVE-2016-6318 for more
|
||||
information.
|
||||
|
||||
Upstream-Status: Backport [https://github.com/cracklib/cracklib/commit/47e5dec521ab6243c9b249dd65b93d232d90d6b1]
|
||||
CVE: CVE-2016-6318
|
||||
Signed-off-by: Dengke Du <dengke.du@windriver.com>
|
||||
---
|
||||
lib/fascist.c | 57 ++++++++++++++++++++++++++++++++-----------------------
|
||||
1 file changed, 33 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/lib/fascist.c b/lib/fascist.c
|
||||
index a996509..d4deb15 100644
|
||||
--- a/lib/fascist.c
|
||||
+++ b/lib/fascist.c
|
||||
@@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
|
||||
char gbuffer[STRINGSIZE];
|
||||
char tbuffer[STRINGSIZE];
|
||||
char *uwords[STRINGSIZE];
|
||||
- char longbuffer[STRINGSIZE * 2];
|
||||
+ char longbuffer[STRINGSIZE];
|
||||
|
||||
if (gecos == NULL)
|
||||
gecos = "";
|
||||
@@ -583,38 +583,47 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
|
||||
{
|
||||
for (i = 0; i < j; i++)
|
||||
{
|
||||
- strcpy(longbuffer, uwords[i]);
|
||||
- strcat(longbuffer, uwords[j]);
|
||||
-
|
||||
- if (GTry(longbuffer, password))
|
||||
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
|
||||
{
|
||||
- return _("it is derived from your password entry");
|
||||
- }
|
||||
+ strcpy(longbuffer, uwords[i]);
|
||||
+ strcat(longbuffer, uwords[j]);
|
||||
|
||||
- strcpy(longbuffer, uwords[j]);
|
||||
- strcat(longbuffer, uwords[i]);
|
||||
+ if (GTry(longbuffer, password))
|
||||
+ {
|
||||
+ return _("it is derived from your password entry");
|
||||
+ }
|
||||
|
||||
- if (GTry(longbuffer, password))
|
||||
- {
|
||||
- return _("it's derived from your password entry");
|
||||
- }
|
||||
+ strcpy(longbuffer, uwords[j]);
|
||||
+ strcat(longbuffer, uwords[i]);
|
||||
|
||||
- longbuffer[0] = uwords[i][0];
|
||||
- longbuffer[1] = '\0';
|
||||
- strcat(longbuffer, uwords[j]);
|
||||
+ if (GTry(longbuffer, password))
|
||||
+ {
|
||||
+ return _("it's derived from your password entry");
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (GTry(longbuffer, password))
|
||||
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
|
||||
{
|
||||
- return _("it is derivable from your password entry");
|
||||
+ longbuffer[0] = uwords[i][0];
|
||||
+ longbuffer[1] = '\0';
|
||||
+ strcat(longbuffer, uwords[j]);
|
||||
+
|
||||
+ if (GTry(longbuffer, password))
|
||||
+ {
|
||||
+ return _("it is derivable from your password entry");
|
||||
+ }
|
||||
}
|
||||
|
||||
- longbuffer[0] = uwords[j][0];
|
||||
- longbuffer[1] = '\0';
|
||||
- strcat(longbuffer, uwords[i]);
|
||||
-
|
||||
- if (GTry(longbuffer, password))
|
||||
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
|
||||
{
|
||||
- return _("it's derivable from your password entry");
|
||||
+ longbuffer[0] = uwords[j][0];
|
||||
+ longbuffer[1] = '\0';
|
||||
+ strcat(longbuffer, uwords[i]);
|
||||
+
|
||||
+ if (GTry(longbuffer, password))
|
||||
+ {
|
||||
+ return _("it's derivable from your password entry");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.8.1
|
||||
|
||||
+6
-6
@@ -1,7 +1,7 @@
|
||||
From 8a6e43726ad0ae41bd1cc2c248d91deb31459357 Mon Sep 17 00:00:00 2001
|
||||
From aae03b7e626d5f62ab929d51d11352a5a2ff6b2d Mon Sep 17 00:00:00 2001
|
||||
From: Lei Maohui <leimaohui@cn.fujitsu.com>
|
||||
Date: Tue, 9 Jun 2015 11:11:48 +0900
|
||||
Subject: [PATCH] packlib.c: support dictionary byte order dependent
|
||||
Subject: [PATCH 1/2] packlib.c: support dictionary byte order dependent
|
||||
|
||||
The previous dict files are NOT byte-order independent, in fact they are
|
||||
probably ARCHITECTURE SPECIFIC.
|
||||
@@ -22,11 +22,11 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
||||
|
||||
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
|
||||
---
|
||||
lib/packlib.c | 214 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
lib/packlib.c | 214 +++++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 210 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/packlib.c b/lib/packlib.c
|
||||
index f851424..3aac805 100644
|
||||
index 8acb7be..a9d8750 100644
|
||||
--- a/lib/packlib.c
|
||||
+++ b/lib/packlib.c
|
||||
@@ -16,6 +16,12 @@
|
||||
@@ -317,7 +317,7 @@ index f851424..3aac805 100644
|
||||
+ fwrite((char *) &tmpdatum, sizeof(tmpdatum), 1, pwp->ifp);
|
||||
|
||||
fputs(pwp->data_put[0], pwp->dfp);
|
||||
putc(0, pwp->dfp);
|
||||
putc(0, (FILE*) pwp->dfp);
|
||||
@@ -464,6 +668,7 @@ GetPW(pwp, number)
|
||||
perror("(index fread failed)");
|
||||
return NULL;
|
||||
@@ -335,5 +335,5 @@ index f851424..3aac805 100644
|
||||
|
||||
int r = 1;
|
||||
--
|
||||
1.8.4.2
|
||||
2.20.1
|
||||
|
||||
|
||||
+5
-5
@@ -1,7 +1,7 @@
|
||||
From 06f9a88b5dd5597f9198ea0cb34f5e96f180e6e3 Mon Sep 17 00:00:00 2001
|
||||
From 7250328d7f77069726603ef7132826c9260d3c92 Mon Sep 17 00:00:00 2001
|
||||
From: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
Date: Sat, 27 Apr 2013 16:02:30 +0800
|
||||
Subject: [PATCH] craklib:fix testnum and teststr failed
|
||||
Subject: [PATCH 2/2] craklib:fix testnum and teststr failed
|
||||
|
||||
Error log:
|
||||
...
|
||||
@@ -18,8 +18,8 @@ Set DEFAULT_CRACKLIB_DICT as the path of PWOpen
|
||||
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
Upstream-Status: Pending
|
||||
---
|
||||
util/testnum.c | 2 +-
|
||||
util/teststr.c | 2 +-
|
||||
util/testnum.c | 2 +-
|
||||
util/teststr.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/util/testnum.c b/util/testnum.c
|
||||
@@ -49,5 +49,5 @@ index 2a31fa4..9fb9cda 100644
|
||||
perror ("PWOpen");
|
||||
return (-1);
|
||||
--
|
||||
1.7.10.4
|
||||
2.20.1
|
||||
|
||||
|
||||
+10
-7
@@ -9,19 +9,22 @@ DEPENDS = "cracklib-native zlib"
|
||||
|
||||
EXTRA_OECONF = "--without-python --libdir=${base_libdir}"
|
||||
|
||||
SRC_URI = "${SOURCEFORGE_MIRROR}/cracklib/cracklib-${PV}.tar.gz \
|
||||
SRC_URI = "git://github.com/cracklib/cracklib;protocol=https;branch=master \
|
||||
file://0001-packlib.c-support-dictionary-byte-order-dependent.patch \
|
||||
file://0001-Apply-patch-to-fix-CVE-2016-6318.patch \
|
||||
file://0002-craklib-fix-testnum-and-teststr-failed.patch"
|
||||
|
||||
SRC_URI[md5sum] = "376790a95c1fb645e59e6e9803c78582"
|
||||
SRC_URI[sha256sum] = "59ab0138bc8cf90cccb8509b6969a024d5e58d2d02bcbdccbb9ba9b88be3fa33"
|
||||
|
||||
UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/cracklib/files/cracklib/"
|
||||
UPSTREAM_CHECK_REGEX = "/cracklib/(?P<pver>(\d+[\.\-_]*)+)/"
|
||||
SRCREV = "f83934cf3cced0c9600c7d81332f4169f122a2cf"
|
||||
S = "${WORKDIR}/git/src"
|
||||
|
||||
inherit autotools gettext
|
||||
|
||||
# This is custom stuff from upstream's autogen.sh
|
||||
do_configure:prepend() {
|
||||
mkdir -p ${S}/m4
|
||||
echo EXTRA_DIST = *.m4 > ${S}/m4/Makefile.am
|
||||
touch ${S}/ABOUT-NLS
|
||||
}
|
||||
|
||||
do_install:append:class-target() {
|
||||
create-cracklib-dict -o ${D}${datadir}/cracklib/pw_dict ${D}${datadir}/cracklib/cracklib-small
|
||||
}
|
||||
Reference in New Issue
Block a user